Cyber security research has developed significant capabilities for protecting against attacks originating externally (e.g., firewalls, intrusion detection systems, etc.); however, technology for protecting the cyber infrastructure from insiders is significantly weaker. The main emphasis on protecting against insider attacks has focused on developing security policies (e.g., physical security perimeters not allowing electronic devices in/out, stringent employee background checks and reviews etc.). In other words, most organizations still rely on perimeter network defenses to maintain security of their information. People working inside an enterprise are assumed to be working in the best interest of the organization and their behavior is guided by static security policies. However, attackers from inside an organization can exploit their access in ways that are subtle and extremely difficult to detect; for example, they may combine legitimate activities in such a way that the end result is no longer legitimate. The 2010 CyberSecurity Watch Survey (see the List of Cited Literature References, Literature Reference No. 1) points out that insiders commonly expose sensitive information or intellectual property, which in many cases are more costly and damaging than attacks originating from outside.
In another reference, it was pointed out that data leakage has emerged as the fastest growing insider attack (See Literature Reference No. 7). These issues were further investigated by McCormick, which presents recent events that have transpired that have driven a more intense look at insiders, such as reports from the Secret Service and CERT, highly publicized data thefts at major companies, and the financial services companies implementing data leak prevention programs (See Literature Reference No 5).
The focus on insider threats has lead to recent research by such groups as Columbia and others affiliated with I3P, RAND, MITRE, Sandia National Labs, and CERT (See Literature Reference Nos. 8-12, respectively). Most of the related work for detecting data leakage (or ex-filtration) can be categorized as either host-based user profiling or network-based sensors (See Literature Reference No. 22).
The host-based profiling techniques include Unix-style command line profiling, process profiling; and system call analysis (See. Literature Reference Nos. 19-21 respectively). They seek to determine the user's intent when issuing commands, “however most of this work failed to reveal or clarify the user's intent when issuing commands. The focus is primarily on accurately detecting change or unusual command sequences” (See Literature Reference No. 22). Therefore this can be helpful for low-level user profiling and for anomaly detection, but will be less applicable for high throughput analysis for detection of the masquerade ex-filtration mission where the mission can consist entirely of non-anomalous actions.
Two facets of network-based sensors approach are honey pots/honey tokens and network traffic monitoring. The first facet, honey pots and honey tokens, are computers or files which have no authorized usage and therefore any user accessing them is suspect. A key challenge is to make the honeypots and honey tokens appear realistic and non-detectable to the insider, because if the insider realizes their true nature they will simply ignore or circumvent them. Network traffic monitoring is focused on analyzing computer network traffic (either simply the packet header information or also content based analysis) in order to identify malicious network traffic.
Each of the prior methods discussed above exhibit limitations or only address part of the problem. Specifically, the prior art is not able to: (1) provide for early detection of insider behaviors; (2) overcome the detailed knowledge of the insider threat through reactive strategies; and (3) provide for robust detection of individual, legitimate activities that, when put together, become threatening.
Thus, a continuing need exists for a system that provides for a novel integrated approach for insider masquerade threat detection by leveraging early warning systems and reactive security strategies in conjunction with observation extraction and modeling techniques.